The number of individuals affected by large data breaches in the U.S. has surpassed 19 million based on the 385 incidents reported to the HHS Office for Civil Rights since 2009. Under an interim final rule that went into effect in September 2009, health care groups are required to report to the OCR data breaches involving 500 or more people.

Related Summaries

A recent Office of Inspector General report found that the HHS Office for Civil Rights failed to roll out its official audit initiative required by HITECH to further implement HIPAA regulations, and that its breach notification and compliance data systems were found to be vulnerable to security threats. OCR officials responded to the report, saying, "[N]o monies have been appropriated for OCR to maintain a permanent audit program."

A rise in information analytics and risk evaluation protocols will lead to more data breach incidents being reported next year, HHS Office for Civil Rights Director Leon Rodriguez said. Health groups as well as their business associates will need to devise data breach responses responsibly and decisively to avoid being subjected to more fines, he said.

Data breaches affecting at least 500 patients, complaints from employees or patients, or prior inspections from the Office for Civil Rights can increase an organization's chances of undergoing an OCR audit, say experts Mahmood Sher-Jan and Chris Apgar. The audits are part of the OCR's effort to implement the HIPAA mandate.

The HHS Office for Civil Rights has raised its fiscal year 2012 budget request to $46.7 million from this year's $41.1 million in part because it wants to bolster its efforts to clamp down on data breach incidents. "Additional (full-time employees) are critical if OCR is to successfully investigate the estimated 20,000 combined breach reports and HIPAA complaints that are anticipated to be received annually," the office said.
